
There are scenarios when it is necessary to limit the number of objects that users see. This would normally be done using authorizations, but authorizations have their limits. For example, we may need to allow users to see basic details of almost any object, because objects may be referenced from tasks, work items, audit records and so on; therefore users must be authorized to read such objects. On the other hand, we do not want users to list all the objects. But getting an object and listing objects are both considered reading by the authorization subsystem, so there is no way to disable one and enable the other.

But there is an elegant way to limit listing of objects in the midPoint user interface: Object Collections and Views. This feature was partially implemented in midPoint 3.9 specifically to satisfy this use case. The basic principle is to define a special view containing only those objects that the users are allowed to see (e.g. an "Employees" view), remove the authorizations for the pages that list all users, and leave only the authorization to access that specific view.

Configuration

Definition of object view in adminGuiConfig in a role:

Definition of object collection as a separate midPoint object:

GUI representation

Authorizations

Users should be authorized to access the "user view" page: http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersView

Make sure that users do not have authorization to access "All users" page (http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll).
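The following is an added example, not from the original page: one object collection plus a role that exposes it as a view, grants read access to users, and grants the view page while deliberately leaving out the "All users" page. Element names are assumed to follow the midPoint adminGuiConfiguration and objectCollection schema as the editor knows it; the OID, the role name and the `employee` subtype value are constructed placeholders.

```xml
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">

    <!-- Constructed placeholder OID; replace with the OID of the real collection. -->
    <objectCollection oid="11111111-2222-3333-4444-555555555555">
        <name>Employees</name>
        <type>UserType</type>
        <filter>
            <!-- Assumed convention: employees carry the "employee" subtype. -->
            <q:equal>
                <q:path>subtype</q:path>
                <q:value>employee</q:value>
            </q:equal>
        </filter>
    </objectCollection>

    <role>
        <name>Employee Browser</name>
        <adminGuiConfiguration>
            <objectCollectionViews>
                <objectCollectionView>
                    <identifier>employees</identifier>
                    <display>
                        <label>Employees</label>
                    </display>
                    <type>UserType</type>
                    <collection>
                        <collectionRef oid="11111111-2222-3333-4444-555555555555"
                                       type="ObjectCollectionType"/>
                    </collection>
                </objectCollectionView>
            </objectCollectionViews>
        </adminGuiConfiguration>

        <!-- Read access to user objects stays, because users are referenced
             from tasks, work items and audit records. -->
        <authorization>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
            <object>
                <type>UserType</type>
            </object>
        </authorization>

        <!-- Only the view page is granted. The "All users" page
             (authorization-ui-3#usersAll) is intentionally absent. -->
        <authorization>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersView</action>
        </authorization>
    </role>
</objects>
```

After importing, check that a user holding only this role sees the "Employees" view in the menu but receives no "All users" entry; if the full list is still reachable, some other assigned role still carries the usersAll authorization.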

See Also
